feat: complete tOS project with HR, LEAN, Dashboard and Integrations modules
Full enterprise web operating system including: - Next.js 14 frontend with App Router, i18n (DE/EN), shadcn/ui - NestJS 10 backend with Prisma, JWT auth, Swagger docs - Keycloak 24 SSO with role-based access control - HR module (employees, time tracking, absences, org chart) - LEAN module (3S planning, morning meeting SQCDM, skill matrix) - Integrations module (PlentyONE, Zulip, Todoist, FreeScout, Nextcloud, ecoDMS, GembaDocs) - Dashboard with customizable drag & drop widget grid - Docker Compose infrastructure (PostgreSQL 16, Redis 7, Keycloak 24) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
16
docker/.env.example
Normal file
16
docker/.env.example
Normal file
@@ -0,0 +1,16 @@
|
||||
# Docker Compose Environment Configuration
|
||||
# Copy this file to .env in the docker/ directory
|
||||
|
||||
# PostgreSQL
|
||||
POSTGRES_USER=tos_user
|
||||
POSTGRES_PASSWORD=tos_secret_password
|
||||
POSTGRES_DB=tos_db
|
||||
POSTGRES_PORT=5432
|
||||
|
||||
# Redis
|
||||
REDIS_PORT=6379
|
||||
|
||||
# Keycloak
|
||||
KEYCLOAK_ADMIN=admin
|
||||
KEYCLOAK_ADMIN_PASSWORD=admin
|
||||
KEYCLOAK_PORT=8080
|
||||
119
docker/docker-compose.yml
Normal file
119
docker/docker-compose.yml
Normal file
@@ -0,0 +1,119 @@
|
||||
# =============================================================================
|
||||
# tOS Docker Compose Configuration
|
||||
# =============================================================================
|
||||
# Usage:
|
||||
# Start: docker compose up -d
|
||||
# Stop: docker compose down
|
||||
# Logs: docker compose logs -f [service]
|
||||
# Reset: docker compose down -v && docker compose up -d
|
||||
# =============================================================================
|
||||
|
||||
name: tos
|
||||
|
||||
services:
|
||||
# ---------------------------------------------------------------------------
|
||||
# PostgreSQL Database
|
||||
# ---------------------------------------------------------------------------
|
||||
postgres:
|
||||
image: postgres:16-alpine
|
||||
container_name: tos-postgres
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
POSTGRES_USER: ${POSTGRES_USER:-tos_user}
|
||||
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-tos_secret_password}
|
||||
POSTGRES_DB: ${POSTGRES_DB:-tos_db}
|
||||
POSTGRES_INITDB_ARGS: "--encoding=UTF8 --locale=C"
|
||||
ports:
|
||||
- "${POSTGRES_PORT:-5432}:5432"
|
||||
volumes:
|
||||
- postgres_data:/var/lib/postgresql/data
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-tos_user} -d ${POSTGRES_DB:-tos_db}"]
|
||||
interval: 10s
|
||||
timeout: 5s
|
||||
retries: 5
|
||||
start_period: 10s
|
||||
networks:
|
||||
- tos-network
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Redis Cache & Queue
|
||||
# ---------------------------------------------------------------------------
|
||||
redis:
|
||||
image: redis:7-alpine
|
||||
container_name: tos-redis
|
||||
restart: unless-stopped
|
||||
command: >
|
||||
redis-server
|
||||
--appendonly yes
|
||||
--maxmemory 256mb
|
||||
--maxmemory-policy allkeys-lru
|
||||
ports:
|
||||
- "${REDIS_PORT:-6379}:6379"
|
||||
volumes:
|
||||
- redis_data:/data
|
||||
healthcheck:
|
||||
test: ["CMD", "redis-cli", "ping"]
|
||||
interval: 10s
|
||||
timeout: 5s
|
||||
retries: 5
|
||||
start_period: 5s
|
||||
networks:
|
||||
- tos-network
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Keycloak Identity & Access Management
|
||||
# ---------------------------------------------------------------------------
|
||||
keycloak:
|
||||
image: quay.io/keycloak/keycloak:24.0
|
||||
container_name: tos-keycloak
|
||||
restart: unless-stopped
|
||||
command:
|
||||
- start-dev
|
||||
- --import-realm
|
||||
environment:
|
||||
KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-admin}
|
||||
KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
|
||||
KC_DB: postgres
|
||||
KC_DB_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB:-tos_db}
|
||||
KC_DB_USERNAME: ${POSTGRES_USER:-tos_user}
|
||||
KC_DB_PASSWORD: ${POSTGRES_PASSWORD:-tos_secret_password}
|
||||
KC_HOSTNAME: localhost
|
||||
KC_HOSTNAME_PORT: ${KEYCLOAK_PORT:-8080}
|
||||
KC_HOSTNAME_STRICT: "false"
|
||||
KC_HOSTNAME_STRICT_HTTPS: "false"
|
||||
KC_HTTP_ENABLED: "true"
|
||||
KC_HEALTH_ENABLED: "true"
|
||||
KC_METRICS_ENABLED: "true"
|
||||
KC_LOG_LEVEL: INFO
|
||||
ports:
|
||||
- "${KEYCLOAK_PORT:-8080}:8080"
|
||||
volumes:
|
||||
- ./keycloak/realm-export.json:/opt/keycloak/data/import/realm-export.json:ro
|
||||
healthcheck:
|
||||
# Keycloak 24+ nutzt /health/ready Endpoint
|
||||
# Verwendet bash redirect da curl nicht in UBI9 enthalten ist
|
||||
test: >
|
||||
bash -c 'exec 3<>/dev/tcp/localhost/8080 &&
|
||||
echo -e "GET /health/ready HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n" >&3 &&
|
||||
timeout 2 cat <&3 | grep -q "200 OK"'
|
||||
interval: 30s
|
||||
timeout: 15s
|
||||
retries: 5
|
||||
start_period: 90s
|
||||
depends_on:
|
||||
postgres:
|
||||
condition: service_healthy
|
||||
networks:
|
||||
- tos-network
|
||||
|
||||
volumes:
|
||||
postgres_data:
|
||||
name: tos-postgres-data
|
||||
redis_data:
|
||||
name: tos-redis-data
|
||||
|
||||
networks:
|
||||
tos-network:
|
||||
name: tos-network
|
||||
driver: bridge
|
||||
208
docker/keycloak/realm-export.json
Normal file
208
docker/keycloak/realm-export.json
Normal file
@@ -0,0 +1,208 @@
|
||||
{
|
||||
"id": "tos",
|
||||
"realm": "tOS",
|
||||
"displayName": "tOS - Enterprise Web Operating System",
|
||||
"displayNameHtml": "<strong>tOS</strong> Enterprise",
|
||||
"enabled": true,
|
||||
"sslRequired": "external",
|
||||
"registrationAllowed": false,
|
||||
"rememberMe": true,
|
||||
"verifyEmail": false,
|
||||
"loginWithEmailAllowed": true,
|
||||
"duplicateEmailsAllowed": false,
|
||||
"resetPasswordAllowed": true,
|
||||
"bruteForceProtected": true,
|
||||
"permanentLockout": false,
|
||||
"maxFailureWaitSeconds": 900,
|
||||
"failureFactor": 5,
|
||||
"defaultSignatureAlgorithm": "RS256",
|
||||
"accessTokenLifespan": 300,
|
||||
"ssoSessionIdleTimeout": 1800,
|
||||
"ssoSessionMaxLifespan": 36000,
|
||||
"roles": {
|
||||
"realm": [
|
||||
{
|
||||
"name": "admin",
|
||||
"description": "Full administrative access to all tOS features",
|
||||
"composite": true,
|
||||
"composites": {
|
||||
"realm": ["hr-manager", "manager", "department_head", "team-lead", "employee"]
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "hr-manager",
|
||||
"description": "HR management with access to employee data, absences, and time tracking",
|
||||
"composite": true,
|
||||
"composites": {
|
||||
"realm": ["employee"]
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "manager",
|
||||
"description": "Management access with cross-department visibility",
|
||||
"composite": true,
|
||||
"composites": {
|
||||
"realm": ["department_head", "employee"]
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "department_head",
|
||||
"description": "Department lead with team management capabilities",
|
||||
"composite": true,
|
||||
"composites": {
|
||||
"realm": ["team-lead", "employee"]
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "team-lead",
|
||||
"description": "Team lead with direct reports management",
|
||||
"composite": true,
|
||||
"composites": {
|
||||
"realm": ["employee"]
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "employee",
|
||||
"description": "Standard employee access to basic features",
|
||||
"composite": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"groups": [
|
||||
{
|
||||
"name": "Administrators",
|
||||
"path": "/Administrators",
|
||||
"realmRoles": ["admin"]
|
||||
},
|
||||
{
|
||||
"name": "Management",
|
||||
"path": "/Management",
|
||||
"realmRoles": ["manager"]
|
||||
},
|
||||
{
|
||||
"name": "Departments",
|
||||
"path": "/Departments",
|
||||
"subGroups": [
|
||||
{ "name": "Sales", "path": "/Departments/Sales", "realmRoles": ["employee"] },
|
||||
{ "name": "Accounting", "path": "/Departments/Accounting", "realmRoles": ["employee"] },
|
||||
{ "name": "Warehouse", "path": "/Departments/Warehouse", "realmRoles": ["employee"] },
|
||||
{ "name": "Logistics", "path": "/Departments/Logistics", "realmRoles": ["employee"] },
|
||||
{ "name": "Engineering", "path": "/Departments/Engineering", "realmRoles": ["employee"] },
|
||||
{ "name": "IT", "path": "/Departments/IT", "realmRoles": ["employee"] },
|
||||
{ "name": "Executive", "path": "/Departments/Executive", "realmRoles": ["manager"] },
|
||||
{ "name": "Executive-Assistant", "path": "/Departments/Executive-Assistant", "realmRoles": ["employee"] },
|
||||
{ "name": "HR", "path": "/Departments/HR", "realmRoles": ["employee"] },
|
||||
{ "name": "Procurement", "path": "/Departments/Procurement", "realmRoles": ["employee"] }
|
||||
]
|
||||
}
|
||||
],
|
||||
"clients": [
|
||||
{
|
||||
"clientId": "tos-frontend",
|
||||
"name": "tOS Frontend Application",
|
||||
"enabled": true,
|
||||
"publicClient": false,
|
||||
"standardFlowEnabled": true,
|
||||
"implicitFlowEnabled": false,
|
||||
"directAccessGrantsEnabled": false,
|
||||
"protocol": "openid-connect",
|
||||
"secret": "${KEYCLOAK_FRONTEND_CLIENT_SECRET:-tos-frontend-secret-CHANGE-IN-PRODUCTION}",
|
||||
"rootUrl": "http://localhost:3000",
|
||||
"baseUrl": "http://localhost:3000",
|
||||
"redirectUris": ["http://localhost:3000/*", "http://127.0.0.1:3000/*"],
|
||||
"webOrigins": ["http://localhost:3000", "http://127.0.0.1:3000"],
|
||||
"attributes": {
|
||||
"pkce.code.challenge.method": "S256",
|
||||
"post.logout.redirect.uris": "http://localhost:3000/*"
|
||||
},
|
||||
"defaultClientScopes": ["web-origins", "acr", "profile", "roles", "email"]
|
||||
},
|
||||
{
|
||||
"clientId": "tos-backend",
|
||||
"name": "tOS Backend API",
|
||||
"enabled": true,
|
||||
"publicClient": false,
|
||||
"standardFlowEnabled": false,
|
||||
"directAccessGrantsEnabled": true,
|
||||
"serviceAccountsEnabled": true,
|
||||
"protocol": "openid-connect",
|
||||
"secret": "${KEYCLOAK_BACKEND_CLIENT_SECRET:-tos-backend-secret-CHANGE-IN-PRODUCTION}",
|
||||
"rootUrl": "http://localhost:3001",
|
||||
"baseUrl": "http://localhost:3001",
|
||||
"redirectUris": ["http://localhost:3001/*"],
|
||||
"webOrigins": ["http://localhost:3001"],
|
||||
"defaultClientScopes": ["web-origins", "acr", "profile", "roles", "email"]
|
||||
}
|
||||
],
|
||||
"users": [
|
||||
{
|
||||
"username": "admin",
|
||||
"email": "admin@tos.local",
|
||||
"emailVerified": true,
|
||||
"enabled": true,
|
||||
"firstName": "System",
|
||||
"lastName": "Administrator",
|
||||
"credentials": [{ "type": "password", "value": "admin123", "temporary": true }],
|
||||
"realmRoles": ["admin"],
|
||||
"groups": ["/Administrators"]
|
||||
},
|
||||
{
|
||||
"username": "manager",
|
||||
"email": "manager@tos.local",
|
||||
"emailVerified": true,
|
||||
"enabled": true,
|
||||
"firstName": "Max",
|
||||
"lastName": "Manager",
|
||||
"credentials": [{ "type": "password", "value": "manager123", "temporary": true }],
|
||||
"realmRoles": ["manager"],
|
||||
"groups": ["/Management"]
|
||||
},
|
||||
{
|
||||
"username": "depthead",
|
||||
"email": "depthead@tos.local",
|
||||
"emailVerified": true,
|
||||
"enabled": true,
|
||||
"firstName": "Diana",
|
||||
"lastName": "DepartmentHead",
|
||||
"credentials": [{ "type": "password", "value": "depthead123", "temporary": true }],
|
||||
"realmRoles": ["department_head"],
|
||||
"groups": ["/Departments/IT"]
|
||||
},
|
||||
{
|
||||
"username": "employee",
|
||||
"email": "employee@tos.local",
|
||||
"emailVerified": true,
|
||||
"enabled": true,
|
||||
"firstName": "Eva",
|
||||
"lastName": "Employee",
|
||||
"credentials": [{ "type": "password", "value": "employee123", "temporary": true }],
|
||||
"realmRoles": ["employee"],
|
||||
"groups": ["/Departments/IT"]
|
||||
},
|
||||
{
|
||||
"username": "hrmanager",
|
||||
"email": "hrmanager@tos.local",
|
||||
"emailVerified": true,
|
||||
"enabled": true,
|
||||
"firstName": "Hannah",
|
||||
"lastName": "HRManager",
|
||||
"credentials": [{ "type": "password", "value": "hrmanager123", "temporary": true }],
|
||||
"realmRoles": ["hr-manager"],
|
||||
"groups": ["/Departments/HR"]
|
||||
},
|
||||
{
|
||||
"username": "teamlead",
|
||||
"email": "teamlead@tos.local",
|
||||
"emailVerified": true,
|
||||
"enabled": true,
|
||||
"firstName": "Tim",
|
||||
"lastName": "TeamLead",
|
||||
"credentials": [{ "type": "password", "value": "teamlead123", "temporary": true }],
|
||||
"realmRoles": ["team-lead"],
|
||||
"groups": ["/Departments/Engineering"]
|
||||
}
|
||||
],
|
||||
"internationalizationEnabled": true,
|
||||
"supportedLocales": ["de", "en"],
|
||||
"defaultLocale": "de"
|
||||
}
|
||||
Reference in New Issue
Block a user